Hi everyone, my name is Khanh, I'm a PhD student at IBM Research Zurich, and today I'm going to talk about our new paper called "A Non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge". This is joint work with Jonathan Bootle, Vadim Lyubashevsky and Gregor Seiler. In particular, this approach is related to lattice-based zero-knowledge proofs, which can be summarized as the problem of proving knowledge of a short vector S such that AS is equal to U mod Q. There have been many recent works which prove this or a similar relation, and the main advantages of this approach are as follows. First of all, they rely on quantum-safe assumptions such as SIS or LWE, and they can also be implemented efficiently: addition can be implemented straightforwardly, and multiplication can be implemented using NTTs, for example. The main drawback is that the proof size is linear in the number of committed messages. This is still fine for some applications such as group signatures or verifiable encryption, but for some bigger scenarios the proof size basically blows up. Therefore, one can use a more generic approach, which is the PCP approach, such as Aurora or Ligero. One could just transform this equation AS = U into the underlying problem for these proof systems, such as R1CS, and then apply one of those generic proof systems. This is quantum-safe because they rely on collision-resistant hash functions, and the proof size becomes sublinear. Asymptotically, this is better than using the lattice commitment technique. However, it is pretty slow compared to the lattice approach, and in some cases speed can be much more important than the proof size. For example, when we want to implement protocols on constrained devices such as credit cards, we want to have efficient implementations. 
The motivation for this paper and for this talk is basically to construct purely lattice-based zero-knowledge proofs which get the advantages of these two worlds. So we want to have something which is sublinear but also fast. Our contributions can be split into two protocols, which are called levelled commitments and lattice-based bulletproofs. Let's just focus on the first one, and let's start with Level 1, which is the previous work. There is a paper at Crypto 2018 by Baum et al. which provides a lattice-based zero-knowledge proof of a commitment opening with sublinear proof size. The commitment is the standard SIS commitment and the proof size is asymptotically the square root of N, where N is the number of secret integers. Later on they show how to use that for proving circuit satisfiability. Let's sketch out the protocol, which is relatively simple. The statement is AS = T mod Q, where A, S and T are matrices and S already contains the randomness. The commitment is hiding and binding based on the SIS hardness. The protocol is as follows. There is a prover, Mario. He has the secret matrix S, which is short, and the commitment T. The verifier only has T. At the beginning the prover samples some Y, which is used for the rejection sampling, and then sends W = AY. Later on the verifier sends the challenge matrix C, which will be binary in our case. Then the prover sets Z = Y + SC, applies rejection sampling, and sends Z. Then the verifier checks two things: firstly, whether Z is small, and then whether AZ = W + TC. Correctness follows immediately because Z = Y + SC, so AZ = AY + ASC = W + TC. Now the proof size is the size of T plus the size of C plus the size of Z. So now we have to define what the dimensions are, unfortunately. 
Suppose that S is a matrix of dimensions n times m, A is k times n, and capital N is defined to be n times m, so it is the number of integers inside the matrix S. With these variables we now set the dimensions of T, Y, C and Z: T is of dimensions k times m, Y is of dimensions n times v, C is of dimensions m times v, and Z is of dimensions n times v. The proof size can be simply bounded by km times log Q, which is the size of T, plus mv, which is the size of C (later on we are just going to neglect the sizes of the challenges because they are small), plus the size of Z, which is mv times log of 12 sigma, where the sigma comes from the rejection sampling. The idea is to pick parameters such that the size of the first two terms is similar to the size of the last term. If we choose parameters in such a way, and in a way so that SIS is hard and so on, the proof size can be bounded by poly of lambda, where lambda is the security parameter, times big O of n plus m. But then n and m will be almost equal, and this implies that the proof size becomes poly of lambda times roughly the square root of N asymptotically. So this is the idea of that paper, which we call Level 1. Now in Level 2 we will actually show how to get a cube root of N proof size. Okay, so Level 2. Suppose we have a secret matrix S of dimensions m1 m2 times m3. Now S has N integers in it, where N is equal to m1 times m2 times m3. The elements in S are small: they belong to a set P, and P is small. First of all, let us write S as m1 matrices. We will split S into S1, S2 up to Sm1, where each Si has dimensions m2 times m3. Then, for Q2 which is much smaller than Q1, the commitment becomes T equal to the following expression. This might look a little bit scary, but let's go through it slowly. 
T is equal to A1 times a rather complicated matrix: (identity m1 tensor A2) times S mod Q2, and the whole thing mod Q1. In other words, we can write it as A1 times the matrix which contains the blocks A2 S1 mod Q2, A2 S2 mod Q2, up to A2 Sm1 mod Q2, and the whole thing mod Q1. Why do we need the two moduli? The answer is that they will be useful for the binding property. So we have this definition of the Level 2 commitment. We say that the relaxed opening of T, which is what we are actually going to extract in the soundness proof, is a pair of small matrices S and R such that T is equal to A1 times the inner matrix (identity m1 tensor A2) times S mod Q2 plus Q2 R (this is the additional term), and the whole thing mod Q1. Now let's see why we have the binding property. Suppose an adversary finds two different pairs (S, R) and (S', R'); then we have equality of the two commitments. First of all we can see that we have A1 times some matrix, and that matrix is going to be small: the matrix inside is small because R is small and Q2 is much smaller than Q1. That is why the matrix multiplied by A1 is small. Therefore, by the SIS hardness of A1 mod Q1, we must have that these inner matrices are the same. In particular, (identity m1 tensor A2) S mod Q2 plus Q2 R is equal to (identity m1 tensor A2) S' mod Q2 plus Q2 R'. From that we simply get that R = R' and (identity m1 tensor A2) S = (identity m1 tensor A2) S' mod Q2. Similarly, by the SIS hardness of A2 mod Q2 we get that S = S'. From that we get the binding property. So now to the Level 2 protocol. The prover has S, which is small, and the statement is T = A1 times the matrix (identity m1 tensor A2) S mod Q2, and the whole thing mod Q1. 
Let us write this inner matrix in the big brackets as S'. Then the statement just becomes the Level 1 protocol with S' being the secret. Obviously S' is not short, so we don't have to do the rejection sampling, but let's see how the first part of the protocol looks. For now we can ignore the first step, because it will be useful for the rejection sampling at the end: the prover generates some small Y, then writes W = A2 Y and sends W. Then the verifier sends the challenge C1, and the prover sends V = S' C1. The verifier checks that A1 V, which is equal to A1 S' C1, is equal to T C1. So this protocol is very similar to the Level 1 protocol, just without rejection sampling. What we have left to do is to prove well-formedness of S'. This means that, having sent V = S' C1, we need to prove that V is equal to (identity m1 tensor A2) times S C1 mod Q2. As I said before, V is equal to (identity m1 tensor A2) times S mod Q2, times C1. We can alternatively write it as V equal to the matrix of blocks A2 S1 mod Q2, A2 S2 mod Q2, up to A2 Sm1 mod Q2, times C1. So if we split V into m1 sub-matrices, we get that Vi is equal to A2 Si C1 mod Q2. Now if we take a kind of block transpose of V, where we just arrange the sub-matrices Vi side by side, then the matrix V1 V2 up to Vm1 is equal to A2 times the matrix S1 C1, S2 C1, up to Sm1 C1, mod Q2. So this actually becomes a statement for Level 1: on the left-hand side we have a matrix which is public, equal to A2, which is public, times a matrix which is small. This method of splitting V into m1 matrices and then taking the block transpose we will call folding. So now we can just continue with the Level 1 protocol. 
The verifier will send C2, and then we do the rejection sampling. We write Z equal to Y plus the matrix (S1 C1, S2 C1, up to Sm1 C1) times C2, do the rejection sampling, and send Z. Then the verifier checks that Z is small and that A2 Z is equal to W plus the block transpose of V, which is (V1 up to Vm1), times C2. Now the proof size becomes the size of T plus the size of V plus the size of Z. If one figures out all the dimensions, then each of them corresponds to a different mi. If we find parameters such that the sizes of T, V and Z are similar, then the proof size becomes basically poly of lambda times big O of N to the one-third. In the paper we generalize this approach to many levels: if we have D levels, then the proof size becomes asymptotically essentially N to the 1 over (D + 1). It is also worth mentioning that D has to be a constant, because otherwise, if D is not a constant, for example if D is log N, then the extractor for soundness becomes inefficient. Asymptotically the runtime of the extractor is something like lambda to the D, so unless D is a constant the runtime of the extractor is not polynomial time. Okay, so now let's switch to the lattice-based bulletproofs. We don't really have much time, but it's okay to give a high-level idea. It is inspired by the original bulletproofs protocol, and the main observation is as follows. Again we have some statement like AS = T, but now we split A and S into two parts, so we have A0, A1 and then the vectors S0 and S1, which have equal length. Then for any scalar C we have that (C A0 + A1) times (S0 + C S1) is equal to some cross terms: W0 + C T + C squared W1, where W0 = A1 S0 and W1 = A0 S1. So if we send W0 and W1 to the verifier, then we end up proving a similar equation. It is of the form B S' = T', where B = C A0 + A1, S' = S0 + C S1, and T' = W0 + C T + C squared W1. 
But now S' is two times shorter than the original secret vector S, so this means that we reduce the length of the secret vector. So how does the protocol look? For simplicity let us work over the polynomial ring. A has only one row and m columns, where m is, let's say, very long, and it's over R_q = Z_q[X]/(X^n + 1). The statement is AS = T where T is a polynomial. We have the prover, let's say Luigi this time. He has the secret vector S, which is obviously short, and T. The first step would be to send the cross terms, just like before: W0 = A1 S0 and W1 = A0 S1. Then the verifier selects some scalar C, and the prover sends Z = S0 + C S1. Then the verifier would check that (C A0 + A1) times Z is W0 + C T + C squared W1. However, this would require actually sending Z, and Z has length m over 2, which would be quite expensive. So instead of doing that we could just continue with another round and prove that (C A0 + A1) Z = W0 + C T + C squared W1. We can do that until it's not expensive to send the masked opening Z. By calculating the sizes and choosing appropriate parameters we get proof sizes polylogarithmic in N, where capital N is now small n times m. In conclusion, we have two protocols with two different approaches which have their advantages and disadvantages, so let's just go through them. The levelled commitments have sublinear proof size and are zero-knowledge, but there are two disadvantages. The first we have already explained: the proof size is not polylogarithmic because D has to be a constant. Moreover, there is massive slack for large D. So what do we mean by slack? 
We say that the slack is big when, during knowledge extraction, the extractor finds a secret short vector or matrix S' which is much, much larger than the original witness S. When we say larger, we mean in the infinity norm or the L2 norm and so on. Basically both approaches have massive slack, and this is because when we do one round the slack is maybe okay in practice, but if we do multiple rounds then the slack grows exponentially; that's why the extracted witness becomes very large. Usually a zero-knowledge proof is one part of some higher-level protocol, and if the slack is big then all the other components of that protocol have to accommodate for it. For the lattice-based bulletproofs we get polylogarithmic proof size, but there is no zero-knowledge, just like in the original bulletproofs, and there is this massive slack. Okay, so thank you very much for listening and for watching. Here is the link for the full version of the paper. Thanks. Bye.
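The split-and-fold step of the lattice-based bulletproofs described above, as an added worked example that is not part of the talk or the paper's own code. It simplifies the setting to integer vectors over Z_q instead of the polynomial ring R_q, uses a constructed toy modulus, secret and challenges, omits zero-knowledge and rejection sampling, and, besides checking the cross-term identity (C·A0 + A1)(S0 + C·S1) = W0 + C·T + C²·W1 in every round, tracks how the norm of the folded secret grows per round, which is the slack the talk warns about.

```python
Q = 65537  # constructed toy modulus, not a parameter from the paper


def inner(a, s):
    """Inner product <a, s> reduced mod Q (the verifier's view of A*S)."""
    return sum(x * y for x, y in zip(a, s)) % Q


def fold_round(a, s, t, c):
    """One round: split a = (a0 | a1), s = (s0 | s1), send the cross terms
    w0 = <a1, s0> and w1 = <a0, s1>, and fold to the half-length instance
    a' = c*a0 + a1, s' = s0 + c*s1, t' = w0 + c*t + c^2*w1.
    The secret is kept unreduced over the integers so its growth is visible."""
    h = len(a) // 2
    a0, a1, s0, s1 = a[:h], a[h:], s[:h], s[h:]
    w0, w1 = inner(a1, s0), inner(a0, s1)
    a_new = [(c * x + y) % Q for x, y in zip(a0, a1)]
    s_new = [x + c * y for x, y in zip(s0, s1)]
    t_new = (w0 + c * t + c * c * w1) % Q
    return a_new, s_new, t_new, (w0, w1)


def verifier_check(a, s, t):
    """The relation the verifier would check once the final opening is sent."""
    return inner(a, s) == t


def inf_norm(v):
    return max(abs(x) for x in v)


def run_protocol(a, s, challenges):
    """Fold until the secret has length 1.  Returns the final instance, the
    transcript of cross terms, and the final/initial norm ratio (the slack)."""
    t = inner(a, s)
    norm0 = inf_norm(s)
    transcript = []
    for c in challenges:
        assert verifier_check(a, s, t)       # invariant: relation holds before each round
        a, s, t, cross = fold_round(a, s, t, c)
        transcript.append(cross)
    assert verifier_check(a, s, t)           # ... and after the last round
    return a, s, t, transcript, inf_norm(s) / norm0


# Constructed sample instance: public row A, ternary secret S, three challenges.
A_SAMPLE = [7, 11, 13, 17, 19, 23, 29, 31]
S_SAMPLE = [1, -1, 0, 1, 1, 0, -1, 1]
CHALLENGES = [3, 5, 2]

if __name__ == "__main__":
    a, s, t, tr, slack = run_protocol(A_SAMPLE, S_SAMPLE, CHALLENGES)
    print("final instance:", a, s, t, "cross terms:", tr, "slack:", slack)
```

Each round multiplies the worst-case infinity norm by at most (1 + |c|), so after the three rounds here the extracted secret can be up to 4·6·3 = 72 times larger than the original, which is the exponential growth in the number of rounds mentioned in the talk.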